The benefit of using the Internet to obtain access to the wealth of information available online, including that portion of the Internet comprising the World Wide Web (WWW), is widely recognized. Access to the Internet has traditionally been obtained through stationary access points, such as at work, school, or at home. The concept of stationary access points has been at the root of the Internet model from the beginning. By way of example, the Internet Protocol (IP) routes packets to their destinations according to their IP addresses. An IP address is associated with a fixed physical location in much the same way as a conventional phone number is associated with the physical location of a fixed-line phone. This association with a physical location allows IP packets to be routed to their intended destination in an efficient and effective way.
The traditional concept of connectivity has undergone changes caused by the trend toward mobility, as witnessed, for example, by the transition to mobile telephony in recent years. Mobile computing is another area that is gaining popularity, where clear benefits can be achieved by allowing users the freedom to carry out their work irrespective of their location. Furthermore, reliable access to the Internet, and to the services available on the Internet, will enable mobile networking to provide improved productivity for all users by freeing them from the ties that bind them to the office. More and more, the trend is moving toward wireless connections that provide even more freedom by allowing access from virtually any location, such as on airplanes and in automobiles, for example.
One of the primary concerns with IP content, computing and communication is that of security. The open nature of the Internet inherently exposes transmitted packets to security issues, which are compounded by the movement of mobile nodes between different sub-networks. To deal with these issues, an IP security protocol (or simply IPsec) has been developed, such as that specified in Internet Engineering Task Force (IETF) Request for Comments document RFC 2401, entitled Security Architecture for the Internet Protocol, the contents of which are hereby incorporated by reference in their entirety. In this regard, IPsec was developed to provide end-to-end security for the payload of packets transmitted between IP hosts. This is chiefly accomplished by providing the hosts with datagram-level authentication and encryption of packets, typically using symmetric cryptography, which requires the use of the same keys at both ends. A key management protocol such as Internet Key Exchange (IKE) can be used to generate the symmetric keys for use in an IPsec stack, such as that employed in a Virtual Private Network (VPN).
As will be appreciated by those skilled in the art, a VPN is a logical network located within one or more physical networks. A VPN can be used to securely access resources of an enterprise, such as email or Intranet resources. Additionally or alternatively, a VPN can be used to securely communicate across local area networks, one or more of which may be included within an Intranet of an enterprise. In operation, an IPsec VPN-enabled host, or VPN gateway, maintains security policies in a Security Policy Database (SPD) populated with a number of selectors, as specified in RFC 2401, for example. The SPD identifies which kind of security is applied to traffic across the VPN gateway. For example, a security policy may require that all traffic packets be tunneled with an Encapsulating Security Payload (ESP) to a VPN gateway, with the exception of certain packets which are passed through without IPsec processing. Such a security policy, then, can be applied to and enforced on all packets passing through the VPN gateway.
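The SPD lookup described above, as an added illustration that is not part of the original text: an ordered, first-match policy database in the RFC 2401 style, with a constructed policy that passes the client's own IKE traffic (UDP/500 to the gateway) without IPsec processing and tunnels everything else with ESP to the gateway. The gateway address, selector fields and packet records are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example of an RFC 2401-style Security Policy Database (SPD).
# A selector names the traffic; the policy says what IPsec does with it.

@dataclass(frozen=True)
class Selector:
    src: str                 # source address prefix, e.g. "10.0.0.0/8"
    dst: str                 # destination address prefix
    proto: Optional[str]     # "tcp", "udp", "icmp", or None for any protocol
    dst_port: Optional[int]  # destination port, or None for any port

@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str                    # "PROTECT", "BYPASS" or "DISCARD"
    gateway: Optional[str] = None  # ESP tunnel endpoint when action is PROTECT

ANY = Selector("0.0.0.0/0", "0.0.0.0/0", None, None)

def matches(sel: Selector, pkt: dict) -> bool:
    """True if every selector field either is a wildcard or equals the packet's field."""
    return (ip_address(pkt["src"]) in ip_network(sel.src)
            and ip_address(pkt["dst"]) in ip_network(sel.dst)
            and (sel.proto is None or sel.proto == pkt["proto"])
            and (sel.dst_port is None or sel.dst_port == pkt.get("dst_port")))

def lookup(spd: list, pkt: dict) -> Policy:
    """Ordered first-match lookup; traffic matching no entry is discarded."""
    for policy in spd:
        if matches(policy.selector, pkt):
            return policy
    return Policy(ANY, "DISCARD")

# Constructed SPD. Order matters: the IKE exception must precede the catch-all,
# otherwise the key exchange itself would be sent into a tunnel that has no keys yet.
GATEWAY = "198.51.100.1"  # placeholder gateway address
SPD = [
    Policy(Selector("0.0.0.0/0", GATEWAY + "/32", "udp", 500), "BYPASS"),
    Policy(ANY, "PROTECT", gateway=GATEWAY),
]

def decide(pkt: dict, spd: list = SPD) -> tuple:
    """Return (action, tunnel gateway or None) for an outbound packet."""
    policy = lookup(spd, pkt)
    return (policy.action, policy.gateway)
```

Reversing the two entries makes the catch-all swallow the IKE packets, which is the kind of ordering mistake an SPD review should catch.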
Conventionally, clients have only been permitted to establish communication over a single VPN at any given time. More particularly, conventional clients have only been permitted to activate a single VPN policy, for a respective VPN, at any given time. In this regard, at any point in time, such “single-homed” clients have permitted only a single active data connection and respective network interface. To improve upon such “single-homed” clients, however, “multi-homed” clients have been developed that permit simultaneous connections at any given time, including simultaneous connections over multiple VPNs. For example, mobile handheld terminals functioning in accordance with operating systems such as those developed by Symbian Limited of the United Kingdom are capable of permitting multiple simultaneously active data connections and respective network interfaces. In such instances, each network interface typically has its own IP address, routing information and associated Domain Name System (DNS) server addresses. In addition, each interface and respective data connection of a “multi-homed” client typically belongs to a particular logical network defined locally in the client and identified by a network ID.
Communication over a VPN typically requires a client to establish a VPN connection by first establishing communication with an access point to the physical network(s) that include the respective VPN, and thereafter loading or activating the VPN policy for the respective VPN. Likewise, a client typically must terminate a VPN connection by unloading or deactivating the VPN policy for the respective VPN, and thereafter terminating communication with the access point. Whereas such a procedure for initiating and terminating VPN connections is adequate for facilitating communication over a VPN, it can place an undesirable burden on the client, or more particularly on the client user. And as will be appreciated, such a burden typically increases as the number of simultaneous VPN and other connections increases in “multi-homed” clients.